- Persisted sessions by cookie

- Session keys moved to constants
- Adding indices to schema
- Posting with expired cookies will persist the post body for retrying after logging back in

htdocs/index.php

@@ -39,16 +39,21 @@ define('BASE_URL', 'https://example.com/path/index.php');
 define('SCHEMA_VERSION', '20230107');
 define('RECENT_POSTS_PER_PAGE', 50);
 define('SESSION_COOKIE_TTL_SECONDS', 14 * 24 * 60 * 60); // 14 days
+define('SESSION_COOKIE_NAME', 'journal_token');
 /// If a new post matches an existing post created less than this many seconds
 /// ago, the new duplicate post will be ignored.
 define('DUPLICATE_POST_SECONDS', 10);
 define('TIME_ZONE_DEFAULT', 'America/Los_Angeles');
+define('TOKEN_BYTES', 16);
+define('SESSION_KEY_ERROR', 'error');
+define('SESSION_KEY_LAST_ACCESS', 'last_access');
+define('SESSION_KEY_POST_BODY', 'post_body');
+define('SESSION_KEY_USER_ID', 'user_id');
 
 // -- Core setup ------------------------------------------
 
-session_set_cookie_params(SESSION_COOKIE_TTL_SECONDS, httponly: true);
 session_start();
-$_SESSION['last_access'] = time(); // keep alive
+$_SESSION[SESSION_KEY_LAST_ACCESS] = time(); // keep alive
 
 function handle_error($error_level = E_WARNING, $error_message = '',
 		$error_file = '', $error_line = 0, $error_context = null): void {
@@ -65,7 +70,7 @@ error_reporting(E_ERROR);
 
 /// Logs a debug message.
 function trace(string $message): void {
-	//error_log($message, 0);
+	// error_log($message, 0);
 }
 
 // -- Data classes ----------------------------------------
@@ -185,13 +190,13 @@ class Post {
 
 /// Represents a user.
 class User {
+	public static ?User $current = null;
+
 	public int $user_id;
 	public string $username;
 	public string $password_hash;
 	public string $timezone;
 
-	public static ?User $current = null;
-
 	function __construct(array $row) {
 		$this->user_id = $row['user_id'];
 		$this->username = $row['username'];
@@ -260,15 +265,16 @@ class User {
 			return null;
 		}
 		trace("Login succeeded for {$username}.");
-		$_SESSION['user_id'] = $user->user_id;
+		$_SESSION[SESSION_KEY_USER_ID] = $user->user_id;
 		self::$current = $user;
+		Session::create($user->user_id);
 		return $user;
 	}
 
 	/// Updates self::$current from $_SESSION.
 	public static function update_current(): void {
-		if (self::any_exist() && array_key_exists('user_id', $_SESSION) && is_int($_SESSION['user_id'])) {
-			$id = $_SESSION['user_id'];
+		if (self::any_exist() && array_key_exists(SESSION_KEY_USER_ID, $_SESSION) && is_int($_SESSION[SESSION_KEY_USER_ID])) {
+			$id = $_SESSION[SESSION_KEY_USER_ID];
 			self::$current = User::get_by_id($id);
 		} else {
 			self::$current = null;
@@ -277,7 +283,103 @@ class User {
 
 	public static function sign_out(): void {
 		self::$current = null;
-		unset($_SESSION['user_id']);
+		Session::$current?->delete();
+		unset($_SESSION[SESSION_KEY_USER_ID]);
+	}
+}
+
+class Session {
+	public static ?Session $current = null;
+
+	public int $rowid;
+	public string $token;
+	public int $user_id;
+	public int $created;
+	public int $updated;
+
+	function __construct(array $row) {
+		$this->rowid = $row['rowid'];
+		$this->token = $row['token'];
+		$this->user_id = $row['user_id'];
+		$this->created = $row['created'];
+		$this->updated = $row['updated'];
+	}
+
+	/// Logs in from the journal token cookie if needed.
+	public static function check_cookie(): void {
+		if (User::$current) return;
+		if (!array_key_exists(SESSION_COOKIE_NAME, $_COOKIE)) return;
+		$token = $_COOKIE[SESSION_COOKIE_NAME];
+		trace("Found token cookie");
+		self::$current = self::get_by_token($token);
+		if (!self::$current) return;
+		$user = User::get_by_id(self::$current->user_id);
+		if (!$user) {
+			self::$current->delete();
+			return;
+		}
+		trace("Found user from cookie");
+		User::$current = $user;
+		$_SESSION[SESSION_KEY_USER_ID] = $user->user_id;
+		self::$current->touch();
+	}
+
+	public static function create(int $user_id): Session {
+		$token = bin2hex(random_bytes(TOKEN_BYTES));
+		$time = intval(time());
+		$sql = 'INSERT INTO sessions (token, user_id, created, updated) ' .
+			'VALUES (:token, :user_id, :created, :updated);';
+		$args = array(
+			':token' => $token,
+			':user_id' => $user_id,
+			':created' => $time,
+			':updated' => $time,
+		);
+		Database::query($sql, $args);
+		$session = self::get_by_token($token);
+		$session->touch(false);
+		return $session;
+	}
+
+	public function touch(bool $update_table = true): void {
+		$this->updated = time();
+		$secure = str_starts_with(BASE_URL, 'https:');
+		$expires = intval(time()) + SESSION_COOKIE_TTL_SECONDS;
+		trace('Updating cookie to ' . localized_date_string($expires));
+		setcookie(SESSION_COOKIE_NAME, $this->token, $expires, path: '/',
+			secure: $secure, httponly: true);
+		if ($update_table) {
+			$sql = 'UPDATE sessions SET updated=:updated WHERE rowid=:rowid;';
+			$args = array(':updated' => $this->updated, ':rowid' => $this->rowid);
+			Database::query($sql, $args);
+		}
+	}
+
+	public static function get_by_token(string $token): ?Session {
+		$sql = 'SELECT rowid, * FROM sessions WHERE token=:token LIMIT 1';
+		$args = array(':token' => $token);
+		return Database::query_object('Session', $sql, $args);
+	}
+
+	public static function get_by_user_id(int $user_id): array {
+		$sql = 'SELECT rowid, * FROM sessions WHERE user_id=:user_id;';
+		$args = array(':user_id' => $user_id);
+		return Database::query_objects('Session', $sql, $args);
+	}
+
+	public static function delete_all_for_user(int $user_id): void {
+		$sql = 'DELETE FROM sessions WHERE user_id=:user_id;';
+		$args = array(':user_id' => $user_id);
+		Database::query($sql, $args);
+	}
+
+	public function delete(): void {
+		$sql = 'DELETE FROM sessions WHERE rowid=:rowid;';
+		$args = array(':rowid' => $this->rowid);
+		Database::query($sql, $args);
+		$secure = str_starts_with(BASE_URL, 'https:');
+		setcookie(SESSION_COOKIE_NAME, '', 1, path: '/', secure: $secure, httponly: true);
+		unset($_COOKIE[SESSION_COOKIE_NAME]);
 	}
 }
 
@@ -484,7 +586,7 @@ function check_setup(): void {
 /// message.
 function fatal_error(string $message): never {
 	if ($_SERVER['REQUEST_METHOD'] != 'GET') {
-		$_SESSION['error'] = $message;
+		$_SESSION[SESSION_KEY_ERROR] = $message;
 		HTMLPage::redirect_home();
 	}
 	HTMLPage::render_page_start();
@@ -622,9 +724,9 @@ class HTMLPage {
 	}
 
 	public static function render_error_if_needed(): void {
-		if (array_key_exists('error', $_SESSION)) {
-			$e = $_SESSION['error'];
-			unset($_SESSION['error']);
+		if (array_key_exists(SESSION_KEY_ERROR, $_SESSION)) {
+			$e = $_SESSION[SESSION_KEY_ERROR];
+			unset($_SESSION[SESSION_KEY_ERROR]);
 			self::render_error($e);
 		}
 	}
@@ -634,9 +736,11 @@ class HTMLPage {
 	}
 
 	public static function render_post_form(): void {
+		$body = array_key_exists(SESSION_KEY_POST_BODY, $_SESSION) ? $_SESSION[SESSION_KEY_POST_BODY] : '';
+		unset($_SESSION[SESSION_KEY_POST_BODY]);
 		print(<<<HTML
 			<form id="post-form" method="POST">
-				<div class="text-container"><textarea name="body" placeholder="Your journal post here…"></textarea></div>
+				<div class="text-container"><textarea name="body" placeholder="Your journal post here…">$body</textarea></div>
 				<input type="hidden" name="action" value="post" />
 				<div class="submit-post"><input type="submit" value="Post" /></div>
 			</form>
@@ -751,6 +855,7 @@ class HTMLPage {
 // -- Main logic ------------------------------------------
 
 check_setup();
+Session::check_cookie();
 User::update_current();
 switch ($_SERVER['REQUEST_METHOD']) {
 	case 'GET':
@@ -778,6 +883,11 @@ switch ($_SERVER['REQUEST_METHOD']) {
 				$body = validate($_POST, 'body', $nonempty_str_type);
 				$author = User::$current->user_id;
 				$created = time();
+				if (!User::$current) {
+					// Not logged in. Save body for populating once they sign in.
+					$_SESSION[SESSION_KEY_POST_BODY] = $body;
+					fatal_error('Please sign in to post.');
+				}
 				Post::create($body, $author, $created);
 				break;
 			case 'createaccount':

source/create-tables.sql

@@ -7,6 +7,8 @@ CREATE TABLE config (
 	name TEXT UNIQUE,  -- variable name
 	value ANY          -- variable value
 );
+CREATE UNIQUE INDEX IF NOT EXISTS idx_config_name ON config (name);
+INSERT INTO config (name, value) VALUES ('schema_version', '20230107');
 
 DROP TABLE IF EXISTS users;
 CREATE TABLE users (
@@ -15,6 +17,7 @@ CREATE TABLE users (
 	password_hash TEXT,                          -- output of password_hash()
 	timezone TEXT DEFAULT 'America/Los_Angeles'  -- for date formatting
 );
+CREATE UNIQUE INDEX IF NOT EXISTS idx_users_username ON users (username COLLATE NOCASE);
 
 DROP TABLE IF EXISTS posts;
 CREATE TABLE posts (
@@ -23,7 +26,17 @@ CREATE TABLE posts (
 	author_id INTEGER NOT NULL,   -- user_id of author
 	FOREIGN KEY (author_id) REFERENCES users (user_id)
 );
+CREATE INDEX IF NOT EXISTS idx_posts_created ON posts (created DESC);
 
-INSERT INTO config (name, value) VALUES ('schema_version', '20230107');
+DROP TABLE IF EXISTS sessions;
+CREATE TABLE sessions (
+	token TEXT UNIQUE NOT NULL,
+	user_id INTEGER NOT NULL,
+	created INTEGER,
+	updated INTEGER,
+	FOREIGN KEY (user_id) REFERENCES users (user_id)
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_sessions_token ON sessions (token);
+CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions (user_id);
 
 COMMIT;